How to make your website GDPR compliant

The General Data Protection Regulation (GDPR) came into force on 25 May 2018.

In the UK it replaced the Data Protection Act 1998 (with the Data Protection Act 2018 filling in the national detail), introduces far larger fines for non-compliance and breaches, and gives people more say over what organisations can do with their data.

Any personal data you gather on your website must now be processed lawfully, transparently and for a specific purpose. That covers obvious data such as names, addresses and contact numbers, but also less obvious data you may not think of as personal, such as cookie identifiers and IP addresses, which GDPR treats as personal data because they can single out an individual.

There are a number of steps that you can take to achieve GDPR compliance with your website data processing.

1. Undertake a data flow audit

Start the process by identifying data sources on your website (contact forms, newsletter sign-ups etc) and map the flow of data once someone completes a form. Are all the contact fields necessary? Data minimisation is a key principle relating to the processing of personal data. Limit the data to what is necessary by only gathering what you need.

A key part of GDPR is knowing who has access to the personal data you log and store in your website's content management system, and in any third-party service your forms feed, such as a mailing-list provider or CRM. Review who can access the data you gather, restrict access to those who genuinely need it, and remove accounts and integrations that no longer need it.

2. Understand consent guidelines

If you plan to send email marketing or newsletters to anyone who submits your web forms, GDPR requires their consent, given by a clear affirmative action. On a web form that means an active opt-in through a box that is unticked by default: pre-ticked boxes, silence or inactivity do not count as consent.

Consent must be granular, so you need to feature separate check boxes for different types of processing. For example, if you plan to use the data for post, email or telephone communication, or pass user details onto a third party, then you must feature a separate, unchecked box detailing each data processing purpose.

Opt-in should also be unbundled, meaning consent requests must be separate from acceptance of other terms and conditions, and consent must not be made a condition of using the service: a form that refuses to submit unless the marketing box is ticked does not collect valid consent.

GDPR also states that withdrawing consent must be as easy as giving it. Include text on your form that tells users they can unsubscribe at any time, make sure there is an obvious unsubscribe link in every subsequent email you send, and stop processing for that purpose as soon as they withdraw.

3. Keep a record of consent

GDPR requires you to keep a record of consent given by users. You need evidence of who consented, when they consented, the version of the form at the time of consent and whether they have withdrawn consent.
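Steps 2 and 3 describe a set of rules for the form and a record of what was agreed. The following is an added example in Python, not part of the original article and not Web Foundry's code, showing how the two fit together: a form definition that rejects pre-ticked or mandatory consent boxes, and an append-only ledger that records who consented to which purpose, when, on which version of the form, and whether they have since withdrawn. The names ConsentForm, ConsentLedger and so on, and the subscriber and timestamps in demo(), are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256


@dataclass(frozen=True)
class ConsentBox:
    """One tick box for one processing purpose (granular consent)."""
    purpose: str                        # e.g. "email_marketing"
    label: str                          # exact wording shown beside the box
    checked_by_default: bool = False    # must stay False: a pre-ticked box is not consent
    required: bool = False              # must stay False: consent cannot be a condition of the form


@dataclass
class ConsentForm:
    boxes: list

    def validate(self):
        """Rule violations a GDPR review would flag; [] means the form is clean."""
        problems, seen = [], set()
        for b in self.boxes:
            if b.purpose in seen:
                problems.append(f"{b.purpose}: two boxes for one purpose")
            seen.add(b.purpose)
            if b.checked_by_default:
                problems.append(f"{b.purpose}: pre-ticked box is not an active opt-in")
            if b.required:
                problems.append(f"{b.purpose}: consent bundled with the form (made mandatory)")
        return problems

    def version(self):
        """Fingerprint of the exact wording; stored with each record as evidence of what was agreed."""
        text = "\n".join(f"{b.purpose}|{b.label}" for b in self.boxes)
        return sha256(text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class ConsentEvent:
    subject: str        # who (user id or email address)
    purpose: str        # which processing purpose
    granted: bool       # True = opt-in, False = withdrawal
    at: datetime        # when, in UTC
    form_version: str   # which wording they saw ("" for a withdrawal)
    source: str         # where it happened, e.g. "web form", "unsubscribe link"


class ConsentLedger:
    """Append-only consent log: events are never edited or deleted, so the log itself is the evidence."""

    def __init__(self):
        self._events = []

    def record_submission(self, form, subject, ticked, at, source="web form"):
        problems = form.validate()
        if problems:
            # consent collected on a non-compliant form is not valid consent, so refuse to store it as such
            raise ValueError("non-compliant form: " + "; ".join(problems))
        unknown = set(ticked) - {b.purpose for b in form.boxes}
        if unknown:
            raise ValueError(f"purposes not on the form: {sorted(unknown)}")
        for purpose in sorted(ticked):   # only boxes the user actively ticked are recorded
            self._events.append(ConsentEvent(subject, purpose, True, at, form.version(), source))

    def withdraw(self, subject, purpose, at, source="unsubscribe link"):
        self._events.append(ConsentEvent(subject, purpose, False, at, "", source))

    def has_consent(self, subject, purpose, at):
        """The most recent event for (subject, purpose) decides; no event at all means no consent."""
        relevant = [e for e in self._events
                    if e.subject == subject and e.purpose == purpose and e.at <= at]
        return max(relevant, key=lambda e: e.at).granted if relevant else False

    def evidence(self, subject):
        """What you would produce for a subject access request: every consent event for one person."""
        return [e for e in self._events if e.subject == subject]


def demo():
    """Walk one constructed subscriber through opt-in and withdrawal; returns the checks as a dict."""
    form = ConsentForm(boxes=[
        ConsentBox("email_marketing", "Email me news and offers"),
        ConsentBox("telephone_marketing", "Call me about offers"),
        ConsentBox("share_with_partners", "Share my details with selected partners"),
    ])
    bad_form = ConsentForm(boxes=[
        ConsentBox("email_marketing", "Email me news and offers", checked_by_default=True, required=True),
    ])
    ledger = ConsentLedger()
    day0 = datetime(2019, 4, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    ledger.record_submission(form, "alice@example.com", {"email_marketing"}, day0)
    ledger.withdraw("alice@example.com", "email_marketing", day0 + timedelta(days=30))
    return {
        "good_form_problems": form.validate(),
        "bad_form_problems": bad_form.validate(),
        "email_day_1": ledger.has_consent("alice@example.com", "email_marketing", day0 + timedelta(days=1)),
        "email_day_31": ledger.has_consent("alice@example.com", "email_marketing", day0 + timedelta(days=31)),
        "phone_day_1": ledger.has_consent("alice@example.com", "telephone_marketing", day0 + timedelta(days=1)),
        "event_count": len(ledger.evidence("alice@example.com")),
    }
```

Because the ledger is append-only, a withdrawal is a new event rather than a deletion, so the record still shows that consent was once given and exactly when it ended. The form version is a hash of the exact wording, so rewording a box produces a new version and you can always tell which text each person agreed to.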

4. Identify your lawful basis for data processing

To process personal data lawfully under the GDPR, you must have a lawful basis for doing so. The Information Commissioner's Office outlines the six lawful bases on its website: consent, contract, legal obligation, vital interests, public task and legitimate interests. Consent is only one of them, and often not the right one for data you need in order to fulfil an order or answer an enquiry. Once you've identified your lawful basis for each purpose, you must state it clearly in your privacy notice.

5. Update your privacy policy

Your privacy notice must set out what data you collect, why it is processed, on what lawful basis, how long you keep it and who you share it with. You must also tell users how to exercise their rights, including how to obtain a copy of the information you hold on them and how to ask for it to be erased from your system, amongst other things. Check the ICO website for the full list of what a privacy notice must include.

6. Provide a cookie policy and banner notice

Your cookie policy should list the cookies the site sets, what each one is for and how long it lasts, and explain how users can withdraw consent later or block cookies in their browser's privacy settings.

Cookie banners have been a requirement for some time under the ePrivacy rules (PECR in the UK), but GDPR's standard of consent has changed how they must work. Visitors must be told what cookies the site uses, must take a clear affirmative action to accept non-essential ones, and must be able to choose which types of cookies to accept. Analytics and advertising cookies must not be set until that consent is given; continuing to browse or scrolling past the banner does not count. Strictly necessary cookies, such as the one that keeps a user logged in, do not need consent.

7. Encrypt data in transit with HTTPS (an SSL/TLS certificate)

GDPR (Article 32) requires security measures appropriate to the risk and names encryption as one of them, so serving your whole site over HTTPS is the baseline for any site with a form on it. To check, look for the padlock icon in the address bar of your website. If it is missing, you need to install a certificate (still widely called an SSL certificate, although the protocol in use today is TLS), which enables the https protocol for secure data transfer. Certificates are available free of charge from Let's Encrypt and most hosting providers will install one for you, so this is a quick job that gives customers confidence that what they submit is protected on its way to you. The padlock alone is not the whole story: make sure plain http:// requests redirect to https://, that every form submits to an https address, and that pages carrying forms do not load scripts over http. Remember too that HTTPS only protects data in transit; form submissions stored in your CMS database or forwarded by email still need the access controls from step 1.
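The padlock only shows that the page itself was delivered over HTTPS; it says nothing about where the forms on it send their data. Here is an added example in Python (not the article's or Web Foundry's code) that reads a page's HTML and reports, for each form, the resolved submit address and whether it goes over plain HTTP, to a third-party host, or via GET so that the submitted data ends up in the URL. The page URL and SAMPLE_PAGE are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects each <form> with its action, method and the named fields a user fills in."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # submit buttons and hidden fields carry no user-entered data
            if (a.get("type") or "text").lower() not in ("submit", "button", "hidden", "reset"):
                self._current["fields"].append(a.get("name") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: the resolved submit URL, its fields and any problems found."""
    page = urlsplit(page_url)
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        # an empty action means the form posts back to the page it is on
        target = urljoin(page_url, f["action"]) if f["action"] else page_url
        t = urlsplit(target)
        problems = []
        if t.scheme != "https":
            problems.append("submits over plaintext HTTP")
        if t.netloc != page.netloc:
            # a processor you must name in the privacy notice, and whose own HTTPS you depend on
            problems.append(f"submits to third party {t.netloc}")
        if f["method"] == "get" and f["fields"]:
            problems.append("GET puts the submitted data in the URL (server logs, history, Referer)")
        findings.append({"target": target, "fields": f["fields"], "problems": problems})
    return findings


# Constructed sample page: one clean form, one posting over HTTP, one sent to a CRM via GET.
SAMPLE_PAGE = """<html><body>
<form action="/contact" method="post">
  <input type="text" name="name"><input type="email" name="email"><input type="submit">
</form>
<form action="http://www.example.com/subscribe" method="post">
  <input type="email" name="email"><input type="submit" value="Subscribe">
</form>
<form action="https://crm.example.net/lead">
  <input type="text" name="phone">
</form>
</body></html>"""


if __name__ == "__main__":
    for finding in audit_forms("https://www.example.com/contact", SAMPLE_PAGE):
        status = "OK" if not finding["problems"] else "; ".join(finding["problems"])
        print(f"{finding['target']} fields={finding['fields']}: {status}")
```

Run it against a saved copy of each page that carries a form; a form that posts to a third-party address is also a data flow to record in the step 1 audit and a recipient to name in the privacy notice.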

Web Foundry can provide you with help and advice on how to make your website GDPR compliant. Whilst we can advise on some of the steps you can take to make your website GDPR compliant, you should seek legal counsel on how to be fully compliant with your data processing in general.

ORIGINALLY WRITTEN MAY 2018; UPDATED APRIL 2019

Don't get caught out, become GDPR-compliant today!

Contact us now for more information and advice on GDPR website best practices.